[To_syslog_snare] - Error with SnareCounter max limitation


Ato33k

Hello guys,

I have a WEC server with the latest version of NXLog installed on it. I forward these logs to a QRadar SIEM with the to_syslog_snare(); function in the output module. Everything is working fine in QRadar and the parsing is good.

But when the SnareCounter value exceeds 9999999 in the log, I see a "Tab" or a "space" and my log is not parsed correctly in QRadar anymore. This change appears between the SnareCounter and the Date value.

A working log with a SnareCounter value below 9999999:

Nov 24 08:42:56 MyServer MSWinEventLog 1 Security 8944 **small space here** Wed Nov 24 08:42:56

A non-working log where the SnareCounter value exceeds 9999999:

Nov 24 08:41:36 MyServer MSWinEventLog 1 Security 29970217 **big space here** Wed Nov 24 08:41:36 2021

As you can see, the space is bigger in the second log, and so the parsing no longer works on my SIEM.

Can anybody help me with this issue?

Thx!

M.
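An added example, not part of the post above and not NXLog or QRadar code, for checking what actually sits between the SnareCounter and the date and for parsing both variants the same way. The two sample lines are constructed from the ones in the post: the "big space" is assumed to be a single tab, a year is appended to the first date, and a trailing EventID and source field are assumed so the lines resemble a full Snare header. Field names (syslog_ts, host, criticality, source, counter, date, rest) are this example's own; the parser accepts any run of spaces or tabs as the delimiter, so a tab after a large counter parses identically to a single space.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the two in the post (not real events).
# Line 0: counter below 9999999, single space before the date.
# Line 1: counter above 9999999, assumed tab before the date ("big space").
SAMPLE_LINES = [
    "Nov 24 08:42:56 MyServer MSWinEventLog 1 Security 8944 "
    "Wed Nov 24 08:42:56 2021\t4624\tMicrosoft-Windows-Security-Auditing",
    "Nov 24 08:41:36 MyServer MSWinEventLog 1 Security 29970217\t"
    "Wed Nov 24 08:41:36 2021\t4624\tMicrosoft-Windows-Security-Auditing",
]

# Header as it appears in the post:
#   <syslog ts> <host> MSWinEventLog <criticality> <source> <counter> <date> ...
# [\t ]+ between fields means a tab and a space are both accepted as the
# delimiter, so the counter width does not change how the line is parsed.
_SNARE_HEADER = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+MSWinEventLog[\t ]+"
    r"(?P<criticality>\d+)[\t ]+"
    r"(?P<source>\S+)[\t ]+"
    r"(?P<counter>\d+)(?P<counter_sep>[\t ]+)"
    r"(?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
    r"(?:[\t ]+(?P<rest>.*))?$"
)


def parse_snare(line: str) -> Optional[dict]:
    """Parse the Snare header of one syslog line; None if it does not match."""
    m = _SNARE_HEADER.match(line)
    if m is None:
        return None
    return {
        "syslog_ts": m.group("syslog_ts"),
        "host": m.group("host"),
        "criticality": int(m.group("criticality")),
        "source": m.group("source"),
        "counter": int(m.group("counter")),
        # raw whitespace between the counter and the date, kept for diagnostics
        "counter_sep": m.group("counter_sep"),
        "date": m.group("date"),
        # remaining tab-separated fields (EventID onwards), left unsplit here
        "rest": m.group("rest") or "",
    }


def counter_separator(line: str) -> Optional[str]:
    """Return the exact whitespace found between SnareCounter and the date."""
    parsed = parse_snare(line)
    return None if parsed is None else parsed["counter_sep"]


def describe_separator(sep: str) -> str:
    """Name the separator so a tab is visibly different from a space."""
    if sep == " ":
        return "space"
    if sep == "\t":
        return "tab"
    return "mixed " + repr(sep)


def separator_report(lines) -> dict:
    """Map each SnareCounter to the kind of separator that followed it."""
    report = {}
    for line in lines:
        parsed = parse_snare(line)
        if parsed is not None:
            report[parsed["counter"]] = describe_separator(parsed["counter_sep"])
    return report


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        parsed = parse_snare(line)
        print(parsed["counter"], describe_separator(parsed["counter_sep"]),
              parsed["date"])
    print(separator_report(SAMPLE_LINES))
```

Running `counter_separator` over a few real lines taken from the NXLog output (before QRadar) tells you whether the "big space" is a tab, several spaces, or a mix; that determines whether the fix belongs in the SIEM's field delimiter or in the output module.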